Enhancements in Consul zSecure

 


In brief

Here is a brief overview of the features introduced with each version.

Consul zSecure 1.4

  • Support for the new features of z/OS 1.4 (enterprise identity mapping, …)
  • New features in the ISPF interface and in CARLa
  • New SMF 30 report to ease migration from RACFRW
  • Compatible from OS/390 V2R6 up to z/OS 1.4!

Consul zSecure 1.4.5

  • Improved mail output function: available from ISPF and in CARLa
  • CARLa queries can generate WTOs and SNMP traps
  • Very many improvements to the ISPF interface

Consul zSecure 1.5

  • Essentially: support for z/OS 1.5
  • Support for the z990
  • Support for JES2 dynamic procedure libraries

Consul zSecure 1.6

  • New base level of Consul zSecure
  • Support for the dynamic CDT (z/OS 1.6)
  • Improved management of digital certificates
  • Management of resource classes
  • Many other improvements to the interface




Detailed list of the enhancements in each version

Sorry, it is in English.


_

Consul zSecure 1.6

Version 1.6 adds support for z/OS 1.6 and for the changes in the Security Server (RACF) in z/OS 1.6, including the dynamic Class Descriptor Table (CDT). zSecure version 1.6 can also be used if you are not planning to install z/OS 1.6; even OS/390 2.10 is supported by this version.

zSecure 1.6 adds facilities to maintain the dynamic CDT, which is only usable on z/OS 1.6, but other enhancements are just as useful in earlier z/OS (or OS/390) versions:

  • Reports to manage digital certificates (DIGTCERT) more easily, and warn you of certificates that are due to expire (RA.5).
  • A control center for SETROPTS and class options (RA.S).
  • A Scope report that shows access granted to a user through PERMIT and CONNECT, in addition to the existing "Full scope" report (RA.3.4).
  • The Supervisor Call (SVC) audit report takes additional exposures into account and assigns priorities in "severity brackets". In addition it takes into account standard SVCs that are easily mistaken for exposures (AU.S).
  • All displays now offer cursor sensitive help. If you need information about a field, just position the cursor and press F1. A significant part of the reference manual has been copied into the help panels, so there is less need to refer to the documentation.
  • The zCollect component will no longer "hang" when a disk volume is not responding to I/O requests. This used to happen when system programmers re-assign volumes without first bringing them offline. Also, zCollect issues an appropriate message when APF authority has been erroneously removed.
  • A new, no-charge component can be used to create SMF records for all password changes. With a normal RACF system, password changes during logon are the only ones not logged in SMF, so statistics about password changes are incomplete. The new component allows you to react to repeated password changes, which may be a sign of users defeating the password history mechanism.
  • The installation process has been redesigned with the goal to slash the effort of subsequent installations (of the same or future versions) and the installation of PTFs. The installation parameters and the license information are now isolated in a "parameter data set" which is used for customization, instead of the current practice of changing the target datasets. In addition, the JCL (catalogued procedures) has been redesigned to support production JCL that is independent of the zSecure release.
  • Whereas the current release issues a warning message for a future license expiration to all users of zSecure, in this version you can specify a list of users and only those users will get a warning message.
  • New functions in the Consul Audit and Report Language (CARLa) allow you to include fields from different segments of a RACF profile on the same line. The general "lookup" function has also been improved.
  • A new report for zAlert users shows the alerts that are enabled and whether the recipient of the report will receive such alerts.
  • zAlert has a new alert that can be used to monitor highly authorized groups, and a heartbeat function that may be used to monitor the availability of zAlert and the communication between zAlert and your enterprise management console.
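
The repeated-password-change check mentioned in the list above can be expressed as a sliding-window count per user. The following Python sketch is an added example, not part of zSecure or CARLa; the event tuples, the threshold of 3 changes and the 30-minute window are assumptions, and the sample data is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data: (user ID, time of password change). In practice
# these pairs would be extracted from the SMF password-change records.
SAMPLE_EVENTS = [
    ("USERA", "2005-03-01T09:00:00"),
    ("USERB", "2005-03-01T09:01:10"),
    ("USERB", "2005-03-01T09:01:40"),
    ("USERB", "2005-03-01T09:02:05"),
    ("USERB", "2005-03-01T09:02:30"),
    ("USERC", "2005-03-02T10:00:00"),
    ("USERC", "2005-03-02T16:00:00"),
    ("USERA", "2005-03-20T08:30:00"),
]


def find_password_cycling(events, max_changes=3, window=timedelta(minutes=30)):
    """Flag users with more than max_changes password changes inside any
    sliding time window; returns {user: (first, last, count)} for the
    largest burst seen per user."""
    parsed = sorted((datetime.fromisoformat(ts), user) for user, ts in events)
    recent = defaultdict(deque)   # user -> change times still inside the window
    findings = {}
    for ts, user in parsed:
        times = recent[user]
        times.append(ts)
        while ts - times[0] > window:      # drop changes older than the window
            times.popleft()
        if len(times) > max_changes:
            if user not in findings or len(times) > findings[user][2]:
                findings[user] = (times[0], times[-1], len(times))
    return findings


if __name__ == "__main__":
    for user, (first, last, count) in find_password_cycling(SAMPLE_EVENTS).items():
        print(f"{user}: {count} password changes between {first} and {last}")
```

Setting `max_changes` to the depth of the password history makes the check match the behaviour it is meant to catch: cycling through enough new passwords to return to the old one.
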
zSecure 1.6 can be installed from 3490 cartridge, CDROM or in electronic distribution format. The latter two installation methods consist of uploading the installation materials to your z/OS system from a CDROM or from our FTP server, respectively. All three installation methods support SMPE and non-SMPE installation. When you order your materials, please indicate your choice of media and installation method.

You can contact your support representative or send an e-mail to support@consul.com for the FTP login information or to request an installation tape or CDROM (SMPE or non-SMPE).

Support for Consul zSecure version 1.4.5 will cease in June 2005; version 1.5.0 will be supported until May 2006.


_

Consul zSecure 1.5

 Support for z/OS 1.5

  • Dataset name hiding
  • Using RACF to control privileges in DFHSM
  • New SETROPTS keywords
  • SERVAUTH port of entry
  • Write-down support in RACF
  • Enhanced Data Integrity Bypass requests in SMF
  • Security extensions in SMF record type 119

 Support for z990

 Support for JES2 dynamic proclibs

_

Consul zSecure RACF version 1.4.5

  • The ISPF user interface now supports sending print format output directly as email.
  • Possibilities for email output tailoring have been extended significantly.
  • Email can now be sent real-time (i.e. as soon as ready).
  • Email subject lines may now contain variable information.
  • CARLa can now be used to generate WTO output (with the intent to trigger AOC routines).
  • CARLa can now be used to send SNMP traps to event consoles etc.
  • Support has been added for a high-performance interface to obtain event records in real-time from Consul/zAlert. This is called the 'soft-end-of-file' feature. It applies to allocation type SMF and types defined by DEFTYPE.
  • SMF 80 for UNIX file accesses now more often contains the full pathname by looking up the HFS auditid in the IOCONFIG snapshot.
  • SMF records for VSAM now guess the most probable RACF profile if some information needed to be really sure is missing. This automates what an administrator would assume anyway if the profile field is empty. It has been made easier to find the best matching generic profile.
  • The CNGRACF component can now be configured to check normal RACF scoping rules before checking for the $CNG.SCP.ID etc. profiles. This is done if the user has READ access on the $CNG.SCP.RACF resource. This makes it easier to deploy Consul/zVisual RACF for existing group administrators. It removes the discrepancy in scope decisions between CNGRACF and CNARACF, especially when using the new CARLa option SUPPRESS NOT_MY_LIST_SCOPE.
  • A number of enhancements have been made to RACF database merge based on user experience.
  • Specific new CARLa constructs include:
    • New print option WTO to print the newlist output by means of Write To Operator calls. The WTOs are issued with routing code 9 (security) descriptor code 12 (informational). There is a new print option WTOTOFILE to write this output to ddname C2RWTO instead of really issuing WTOs.
    • New print option SNMP to generate Consul/zAlert SNMP traps. New option SNMPTO= to specify the trap destination and port. Relevant variables must be output one per line in 'name: value' format after an initial line just containing the trap number. The variable names are defined in the Consul/zAlert MIB (Management Information Base) shipped as SC2RSAMP(C2PMIB). There is a new print option SNMPTOFILE to write this output to ddname C2RSNMP instead of really sending SNMP UDP packets. There is no requirement for the snmpd daemon on z/OS to be active.
    • New print options SMTPWRITER, SMTPCLASS, and SMTPNJENODE to select to which SMTP image email must be sent (this dynamically allocates and spins off C2REMAIL for each email spurt). A new message with addressee and subject is logged to the SYSPRINT for each message sent. There is a new print option WTOTOFILE to write email to ddname C2RSMTP instead of really sending emails.
    • New print option MAILFONTSIZE= or MFS= to set the HTML font size for email output. The default has changed to 1 to support Outlook better.
    • Email address specifications may now contain multiple email addresses as in RFC 822 and RFC 2822. The whole RFC (2)822 compliant address list must be specified as a (potentially multi-line) CARLa-quoted string. Almost the full standard is supported, except for some blank space in awkward places, and a limit of 255 characters.
    • The print option MAILTO= now has an alias TO and now may contain either an RFC (2)822 address list (must be in a CARLa string if it has embedded blanks), or a lookup specification :deftype.variable.
    • New print option REPLY-TO= to set the email Reply-to: field.
    • New print option FROM= to set the email From: field.
    • New print option CC= to set the email CC: field.
    • New print option BCC= to set the email BCC: field.
    • Print option ERRORMAILTO is no longer required if FROM or REPLY-TO has been specified.
    • A new field AUDITID has been added to NEWLIST TYPE=UNIX. It contains the auditid that is used to identify UNIX files in SMF type 80.
    • A new field UNIX_FILETYPE has been added to NEWLIST TYPE=SMF for record type 80 and 92 to be able to distinguish UNIX files and directories in the SMF processing. This is only available if the HFS auditid can be found in the IOCONFIG snapshot file.
    • New lookup fields have been added: IS_GRPSPEC, IS_GRPOPER, IS_GRPAUD and their aliases IS_GRPSPECIAL, IS_GRPAUDIT.
    • New SUPPRESS option NOT_MY_LIST_SCOPE to have a less restrictive view than the one yielded by SUPPRESS MYACCESS.
    • New SELECT keyword BESTMATCH to find only the actual best matches for a resource name (as opposed to MATCH that shows all potential matches).
    • Column header specifications may now cross a line boundary.
    • Lookup on variables defined with DEFINE is now supported.
    • New output format DATETIMEZONE to print a date in a format conforming to RFC 2579, e.g. '1992-5-26,13:30:15.0,-4:0'.
    • New NEWLIST option FIRST_PER_NAME to automatically suppress subsequent newlists with the same name. This makes it possible to generate CARLa that can contain identical subparts only needed once.
    • New ALLOC option GETPROC=loadmod to specify a high-performance real-time event input routine. This is meant for the Consul/zAlert interface routine C2PIORTN. It is valid for type SMF and types defined through DEFTYPE.
    • New ALLOC option CLEANUP to request cleanup after abends outside ISPF (it is done automatically within ISPF).
    • New ALLOC options LETRAPON and LETRAPOFF to activate or deactivate Language Environment trapping of abends. The default is on.
    • New DEBUG option SOFTEOF to obtain extra status messages pertaining to progress during soft-end-of-file processing.
    • New DEBUG option EMAIL to obtain partial parse result messages when parsing an RFC (2)822 email address list.
    • Default headers for newlist types defined through DEFTYPE now contain the actual type instead of 'CONSUL LISTING'.
  • Specific new ISPF interface features include:
    • ISPF detail display panels now also display a popup action menu when action / is used, much like record level and summary level displays. It is more context sensitive than the message previously displayed.
    • More than 50 new ISPF 'busy' status messages have been added to track progress during potentially CPU intensive tasks like non-SMF log processing or trust analysis.
    • The RESULTS panel now supports option M to send a report file as email.
    • Option SE.A has been added to configure Consul/zAlert. This is described in the Consul/zAlert manual.
    • Context sensitive field-level help has been added for newlist types ROUTER, AUTAB, RRNG, DSNT, TEMPLATE, SPT, CLASS, AUDIT, and SYSTEM.
    • In SETUP VIEW a new option has been added "View only profiles you are allowed to list (auditor view)". This is less restrictive than the other option "View only profiles you are allowed to change (administrator view)".
    • The RA.D/R panels have been extended with support for finding profiles matching a resource name. Instead of a checkbox for EGN mask it now has 4 options: EGN mask, Exact, Match, and Any match. Option Match shows the best matching profile (maybe more than one for grouping classes). Option Any match shows all matching profiles (i.e. including those that are not used because there is a more specific one).
    • The RA.U/G/D/R panels have been extended with a checkbox Specify scope to limit the output to profiles in a 3rd party's scope.
    • The SETUP OUTPUT panel now allows specifying SMTP writer, class, NJE node.
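
Timestamps written in the DATETIMEZONE format listed above (RFC 2579 DateAndTime, e.g. '1992-5-26,13:30:15.0,-4:0') have no zero padding and carry their own UTC offset, so they need a dedicated parser before they can be correlated with other logs. The following Python sketch is an added example, not part of zSecure; the function names are hypothetical, and the optional zone part follows RFC 2579 rather than anything stated on this page.

```python
import re
from datetime import datetime, timedelta, timezone

# RFC 2579 DateAndTime display form: year-month-day,hour:min:sec.deci[,(+|-)h:m]
_DATE_AND_TIME = re.compile(
    r"(\d{1,5})-(\d{1,2})-(\d{1,2}),(\d{1,2}):(\d{1,2}):(\d{1,2})\.(\d)"
    r"(?:,([+-])(\d{1,2}):(\d{1,2}))?"
)


def parse_datetimezone(text):
    """Parse an RFC 2579 DateAndTime string into a datetime (aware if zoned)."""
    m = _DATE_AND_TIME.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"not an RFC 2579 DateAndTime string: {text!r}")
    year, month, day, hour, minute, second, deci = map(int, m.groups()[:7])
    sign, off_h, off_m = m.groups()[7:]
    tz = None
    if sign is not None:
        offset = timedelta(hours=int(off_h), minutes=int(off_m))
        tz = timezone(-offset if sign == "-" else offset)
    # datetime() itself rejects out-of-range fields (month 13, hour 25, ...)
    return datetime(year, month, day, hour, minute, second,
                    deci * 100_000, tzinfo=tz)


def format_datetimezone(dt):
    """Render a datetime in the unpadded RFC 2579 display form."""
    text = (f"{dt.year}-{dt.month}-{dt.day},"
            f"{dt.hour}:{dt.minute}:{dt.second}.{dt.microsecond // 100_000}")
    offset = dt.utcoffset()
    if offset is not None:
        minutes = int(offset.total_seconds()) // 60
        sign = "-" if minutes < 0 else "+"
        text += f",{sign}{abs(minutes) // 60}:{abs(minutes) % 60}"
    return text


def to_utc_iso(text):
    """Normalize a zoned DateAndTime string to ISO 8601 in UTC."""
    dt = parse_datetimezone(text)
    if dt.tzinfo is None:
        raise ValueError("no time zone in value; cannot convert to UTC")
    return dt.astimezone(timezone.utc).isoformat()


if __name__ == "__main__":
    print(to_utc_iso("1992-5-26,13:30:15.0,-4:0"))
```
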
